
I've successfully set up courier+postfix to work with multiple email domains on the same server. At the moment I have these lines in /etc/courier/imap-ssl:

TLS_CERTFILE=/etc/courier/imapd.pem
TLS_TRUSTCERTS=/etc/ssl/certs

Changing them to this works great:

TLS_CERTFILE=/home/certs/certs/certificate.pem.ww2.endofstars.com
TLS_TRUSTCERTS=/home/certs/chains/endofstars.crt

The first contains the cert from the authority and my private key. The second has the certificate chain. Thunderbird doesn't show my customers the "No legitimate business will use unsigned certs" message, and running:

openssl s_client -connect ww2.endofstars.com:993

returns this, which makes me think it's working. But it's downhill from there. When I change my TLS_CERTFILE setting to:

TLS_CERTFILE=/home/certs/certs/certificate.pem

Thunderbird once again complains about an invalid cert. This file doesn't exist, but the imap-ssl docs say that it should automatically append the host name in order to find the certificate.pem.ww2.endofstars.com file. Using openssl to query it again shows this error, and mail.log reports:

imapd-ssl: couriertls: /home/certs/certs/certificate.pem: error:02001002:system library:fopen:No such file or directory

It's not appending the host name. The comments in imap-ssl say the multi-domain approach is "GnuTLS only", but I'm not sure how to tell if I have it installed. Running ldd /usr/sbin/couriertcpd shows:

linux-vdso.so.1 =>  (0x00007fffa75ff000)
libgdbm.so.3 => /usr/lib/x86_64-linux-gnu/libgdbm.so.3 (0x00007fcff8433000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fcff8076000)
/lib64/ld-linux-x86-64.so.2 (0x00007fcff8640000)

But I don't know if I'm doing it right, or if it would show whether GnuTLS is used. I'm on Ubuntu Server 12.04.

EricP

1 Answer

You can find out which SSL/TLS library Courier is using by typing ldd /usr/bin/couriertls (this could be a different path on another distribution).

You'll see that on Ubuntu 12.04, it's compiled against OpenSSL (as the package dependencies also indicate: see courier-ssl and courier-imap-ssl). If you want it to be compiled against GnuTLS, you'll have to download the package source (apt-get source courier-ssl) and adapt its configuration to use GnuTLS instead (you'll likely have to install the GnuTLS and gnutls-dev packages too). You may need to read the Debian/Ubuntu packaging documentation to find which options to change. The configuration files would be under courier-0.66.../debian.

OpenSSL also supports Server Name Indication now (which is what you want to use for this), but this might not be supported in Courier yet (I'm not sure). This message seems to indicate it might happen in future versions.

Bruno
  • For me, having security patches automatically applied is more important than getting the certs working, so I'd prefer to stick to the default packages. However, I found in the documentation for authmysql (http://www.courier-mta.org/authlib/README.authmysql.html) that custom paths can be provided for certs; so I'm going to try that. – EricP Jun 17 '12 at 20:39
  • @JoeCoder This link is for the MySQL authentication module; this has nothing to do with the certs you present as a server to your IMAP clients. This wouldn't solve your problem of adapting the cert file to the requested host name either. – Bruno Jun 17 '12 at 20:48
  • Ok, thanks. You prevented me from wasting time going down a dead-end. – EricP Jun 22 '12 at 02:45
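As an added example (not code from the question, the answer, or the Courier project), the following Python 3 stdlib script does what `openssl s_client` was used for above, but per SNI name: it connects to an IMAPS port with a given server name, verifies the chain against the system trust store, and then checks whether the presented certificate actually covers that name, which is exactly what Thunderbird complains about when it does not. The endofstars.com names in the comments are the thread's; the port default, function names and wildcard handling are assumptions.

```python
"""Check which certificate an IMAPS server presents for an SNI name and whether it covers it."""
import socket
import ssl
import sys


def san_dns_names(cert):
    """DNS names from a cert dict as returned by SSLSocket.getpeercert().
    Falls back to the subject CN only when the cert carries no subjectAltName."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(pattern, host):
    """RFC 6125 style: a wildcard may only stand for the whole left-most label,
    so *.endofstars.com covers ww2.endofstars.com but not endofstars.com or a.b.endofstars.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host


def cert_covers_host(cert, host):
    """True if any DNS name in the certificate matches the requested host name."""
    return any(name_matches(name, host) for name in san_dns_names(cert))


def fetch_cert(host, port=993, timeout=10):
    """Handshake with SNI set to `host` and return the leaf cert the server chose.
    Chain verification stays on (CERT_REQUIRED); only the host-name check is turned
    off here so that a wrong-but-valid certificate can be inspected instead of
    aborting the handshake. cert_covers_host() then reports the mismatch."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Usage: python3 check_sni.py ww2.endofstars.com other.example.com ...
    for name in sys.argv[1:]:
        leaf = fetch_cert(name)
        print(name, "->", san_dns_names(leaf), "OK" if cert_covers_host(leaf, name) else "MISMATCH")
```

A server without SNI support returns the same certificate for every name, so running this against each hosted domain shows immediately which customers will see the warning.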